Perhaps because the US government is widely known for adopting 256-bit AES encryption to protect its high-sensitivity data, it is becoming increasing common to see VPN providers also offering this level or higher of encryption for their services.
As we discuss in some detail in this article, 128-bit encryption (such the Blowfish encryption used as default by OpenVPN) has yet to be cracked by a brute force attack, and is very unlikely to be so for at least the next hundred or so years. Just consider that a 128-bit key would require 3.4 x1038 operations to crack, which would take the fastest supercomputer in the world (in 2011, the Fujitsu K computer based in Kobe, Japan, which can reach peak speeds of 10.51 pentaflops) 1.02×1018 (approximately 1 billion years) to do.
In other words, levels of encryption higher than 128-bit are unnecessary, and can in theory slow down a VPN’s service as its servers have to dedicate more processing power to performing the extra (2128 times the length) math necessary to encrypt and decrypt the keys. However, as real-world tests such as this one demonstrate, the impact can be pretty minimal, and it is unfair to criticise VPNcos for trying to match the demands of their customers.
So if 128-bit encryption can’t be cracked by brute force, and 256-bit encryption is 2128 harder than that, what of VPN companies that offer even higher levels of encryption? While the simple (and largely accurate) answer is that it is a just a marketing gimmick, the fact remains that there are those out there, who for whatever reasons, feel safer when protected by the highest levels of encryption yet devised by mankind, and where there is demand there will always be companies happy to provide.
An important thing to remember is that brute force attacks (which will almost certainly fail) are not the only means of obtaining encryption keys. A common analogy is that of a burglar faced with an impassable door. Making the door even more impassable will make no difference to the burglar (as he can’t get through it anyway), so instead he will smash the window next to it and enter that way. In the real world the means to ‘smash the window’ can range from high-tech (such as using key logging programs to spy on people’s computer input), to depressingly low tech (torture, blackmail and the like).